Skip to content

Add minimal GITHUB_TOKEN permissions to workflows#416

Merged
kplattret merged 3 commits into
mainfrom
update-github-workflow-permissions
Jun 18, 2026
Merged

Add minimal GITHUB_TOKEN permissions to workflows#416
kplattret merged 3 commits into
mainfrom
update-github-workflow-permissions

Conversation

@kplattret

Copy link
Copy Markdown
Member

Summary

Adds explicit, least-privilege permissions blocks to the workflows that lacked one, fixing the actions/missing-workflow-permissions code-scanning alerts. Restricting GITHUB_TOKEN to the minimum needed limits the blast radius if a step or dependency is compromised.

Changes

Top-level permissions: contents: read — read-only is sufficient (checkout only; publishing uses dedicated secret tokens, not GitHub write scopes):

Workflow Publishing mechanism
csharp.yml NuGet (NUGET_API_KEY)
go.yml
node.yml npm (NPM_TOKEN)
php.yml downstream sync via SSH deploy_key
python.yml PyPI (PYPI_API_TOKEN)
ruby.yml RubyGems (GEM_HOST_API_KEY)

Top-level contents: read + a job-level write grant — these have release jobs that genuinely need write access, so a blanket read would break them:

  • java.yml / java7.yml — the create_github_release job gets contents: write (git tag via mathieudutour/github-tag-action + release via softprops/action-gh-release).
  • rust.yml — the publish job gets contents: write + pull-requests: write (release-plz opens release PRs and creates tags/releases).

A job-level permissions block fully overrides the top-level one, so each release job lists exactly the scopes it needs while every other job inherits the safe contents: read.

Not changed: codeql.yml already defines permissions on both of its jobs, so no alert fires there.

🤖 Generated with Claude Code

Fixes the missing-workflow-permissions code scanning alerts by adding
explicit least-privilege permissions blocks. Most workflows only need
contents: read (publishing uses dedicated secret tokens). The Java,
Java7, and Rust release jobs additionally get job-level write scopes:
contents: write for tag/release creation, plus pull-requests: write for
release-plz. codeql.yml already sets job-level permissions, so it's
unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@kplattret
kplattret requested a review from a team as a code owner June 17, 2026 16:05
@kplattret

Copy link
Copy Markdown
Member Author

The build/test jobs for every language (csharp, go, java, java7, nodejs, php, python, ruby, rust) ran with the new contents: read permission and passed. This confirms that the tightened token scope didn't break anything.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s GitHub Actions workflows by explicitly setting least-privilege GITHUB_TOKEN permissions, addressing actions/missing-workflow-permissions code-scanning alerts and reducing token blast radius.

Changes:

  • Added top-level permissions: contents: read to workflows that only need to check out and build/test/publish via external registry tokens.
  • Added job-level permission overrides for release jobs that need to create tags/releases or open PRs (contents: write, plus pull-requests: write for Rust).
  • Left existing CodeQL workflow permissions as-is (already explicitly set).

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
.github/workflows/rust.yml Adds top-level read-only permissions; grants write permissions only to the publish job for release automation.
.github/workflows/ruby.yml Adds top-level contents: read permissions.
.github/workflows/python.yml Adds top-level contents: read permissions.
.github/workflows/php.yml Adds top-level contents: read permissions.
.github/workflows/node.yml Adds top-level contents: read permissions.
.github/workflows/java7.yml Adds top-level contents: read; grants contents: write to the GitHub release job.
.github/workflows/java.yml Adds top-level contents: read; grants contents: write to the GitHub release job.
.github/workflows/go.yml Adds top-level contents: read permissions.
.github/workflows/csharp.yml Adds top-level contents: read permissions.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/java.yml Outdated
Comment thread .github/workflows/java7.yml Outdated
kplattret and others added 2 commits June 17, 2026 18:19
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Explain why PRs that don't touch every language produce a neutral
"configurations not found" code scanning result, and that the check
shouldn't require a success conclusion in branch protection.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated no new comments.

@kplattret
kplattret merged commit 2f1a88c into main Jun 18, 2026
47 checks passed
@kplattret
kplattret deleted the update-github-workflow-permissions branch June 18, 2026 09:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants